config: fix dfp config validation#17835
Merged
alyssawilk merged 4 commits intoenvoyproxy:mainfrom Aug 25, 2021
Merged
Conversation
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Contributor
Author
|
@mattklein123 I think this fixes the issue we had with Envoy Mobile. Normally I'd runtime guard the new validation but it may happen before runtime, and arguably allow_insecure_cluster_option has been around so offers a similar level of "theoretically already plumbed ways to make the error go way". WDYT? |
mattklein123
requested changes
Aug 25, 2021
Member
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Thanks for fixing. LGTM with small comment.
/wait
Comment on lines
+203
to
+208
| if (!options.has_value() || | ||
| (!options.value().auto_sni() || !options.value().auto_san_validation())) { | ||
| throw EnvoyException( | ||
| "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true unless " | ||
| "allow_insecure_cluster_options is set."); | ||
| } |
Member
There was a problem hiding this comment.
I think you can remove this check from above (and just set the legacy option) since this should check both cases after the cluster is created?
leyao-daily
reviewed
Aug 25, 2021
| * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_. | ||
| * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. | ||
| * ext_authz: fix the ext_authz filter to correctly merge multiple same headers using the ',' as separator in the check request to the external authorization service. | ||
| * dynamic forward proxy: fixing a validation bug where san and sni checks were not applied setting :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` via :ref:`typed_extension_protocol_options <envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`. |
Member
There was a problem hiding this comment.
Looks good! And please move it to be an alphabetical order.
Contributor
Author
|
/wait |
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Contributor
Author
|
Ok, sorted CI woes, PTAL! |
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 25, 2021
* main: config: fix dfp config validation (envoyproxy#17835) docs: updating where meetings are uploaded (envoyproxy#17832) h2: moving a comment (envoyproxy#17846) quiche: early fail listener config with both quic and connection_balencer (envoyproxy#17834) dns: configuring a basic key value store to persist to disk (envoyproxy#17745) quic: fix receiving STOP_SENDING (envoyproxy#17815) tooling: Add Github release manager (envoyproxy#17741) tooling: Use upstream pytest-patches (envoyproxy#17809) Remove `hidden_envoy_deprecated_use_http2` (envoyproxy#17805) kafka: produce request for mesh-filter (envoyproxy#17818) Signed-off-by: Michael Puncel <mpuncel@squareup.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: fix DFP not doing san/sni checks with new style upstream config
Risk Level: high. people with broken configs will now have them rejected
Testing: updated tests
Docs Changes: n/a
Release Notes: inline